11032015_GoogleBotDDos_Blog

welcome to http://www.startdays.com
welcome to http://www.ijachouf.com
welcome to http://www.swtools.biz
welcome to http://www.decoderhd.com

[13]11032015_GoogleBotDDos_Blog

Every once in a while we get a glimpse into rare and strange behavior
that doesn't involve the website being hacked, but causes major
problems for website owners. We have spoken recently about
[14]malicious referral spam in Google Analytics and [15]Google Search
Console being used by attackers after they gain access to a website.

Today, we're going to look at how Googlebot ended up accidentally
crashing a site after we cleaned up a large scale spam infection on a
website. If you use Google Search Console / Webmaster Tools (and you
should) we offer specific instructions to make sure you aren't affected
if you find yourself in a similar situation.

Indicators of Compromise (IoC)

Let's start with analyzing the signs of this type of mass spam
infection which lead to the issue with Googlebot.
1. It creates tens of thousands of Japanese spam files on the website,
usually JavaScript and HTML.
2. It changes the Title and Description in your Google search results
pages.
3. It usually impacts the disk quota of your hosting account suddenly
due to the large number of files being created.

Infection Details

Now let's analyze how this Japanese spam campaign works:
1. Attackers create doorway pages on an infected site in order to rank
them in Google results for relevant search queries.
2. When searchers click on these results the doorway redirects them to
third-party sites that the hackers really want to promote.
Here's where it gets interesting. Google will only rank the doorway
pages if there are many incoming links to those doorway pages. This
is one of the main ways that Google identifies "good" search
results as part of its algorithm.
It's difficult to expect that anyone would link to doorway pages
only hackers know about. That's why the attacker places links to
their sites on other doorways that they have created on other
hacked websites.
Here's an example using [16]Unmaskparasites to uncover one of those
doorways and its external links from hacked sites:
Report of spam
3. Now let's do the math.
+ Typical spam campaign infects around 3,000 sites.
+ Each site, as we know has at least 25,000 spam pages/doorways
(usually more).
+ Each doorways has at least 5 links to other hacked sites.
+ This gives us around 125,000 outgoing links per hacked site.
+ Since they are evenly distributed between all the compromised
sites, it means that each hacked site has about 40 links to
every other hacked site.
This means that all the hacked sites, combined, have around
125,000 thousands links to doorways on each individual hacked
site. Even this is probably an underestimation since they
usually create more than one directory with spam files, each
of which contains 20,000+ spam files.

As you see, there are an enormous amount of incoming links to your
site, and Google can see them too.

The Impact of Spam on Search Engine Optimization (SEO)

Now let's take a look at how this problem of incoming spam links
affects your SEO and what happens once you clean them up:
* As we previously calculated, there's probably over 125,000
references on the web pointing to the spam on your website, so this
means that Googlebot will eventually crawl them on the other
infected sites and start crawling your website for those links.
* If the spam is not cleaned up promptly it can cause a sharp drop in
your SEO rankings as it generates a huge amount of spam doorways
that drain your link juice and lower your reputation.
---------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------